[Control systems] Mitsubishi Electric security advisory (AV26-191)
Analysis Summary
# Vulnerability: Denial-of-Service in Mitsubishi Electric MELSEC iQ-F Series Modules
## CVE Details
- **CVE ID:** CVE-2024-11884, CVE-2024-11885
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-400 (Uncontrolled Resource Consumption), CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:**
  - MELSEC iQ-F Series FX5-ENET/IP Ethernet Module
  - MELSEC iQ-F Series FX5-EIP EtherNet/IP Module
- **Versions:** All versions currently released.
- **Configurations:** Systems with the EtherNet/IP or Ethernet functions enabled and accessible via the network.
## Vulnerability Description
The affected modules contain multiple vulnerabilities in their Ethernet communication functions. Specifically, the modules do not properly handle certain types of malformed or high-volume network traffic. An attacker can send specially crafted packets to the module, leading to a resource exhaustion state or a processing error that causes the communication function to hang or the module to restart.
## Exploitation
- **Status:** Not exploited (no known active exploitation in the wild at the time of the advisory).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Results in Denial of Service (DoS) of the control module).
## Remediation
### Patches
Mitsubishi Electric is currently preparing firmware updates to address these vulnerabilities. Users are advised to monitor the Mitsubishi Electric PSIRT portal for the release of:
- FX5-ENET/IP Firmware Update (Version TBD)
- FX5-EIP Firmware Update (Version TBD)
### Workarounds
Until patches are available, the following mitigations are recommended:
- **Network Segmentation:** Use firewalls or VPNs to prevent unauthorized access to the affected modules from untrusted networks.
- **Physical Isolation:** Restrict network access to the modules to only the necessary workstations and authorized IP addresses.
- **Access Control:** Implement IP address filtering (Access Hierarchy) to ensure only authorized controllers and PCs can communicate with the modules.
## Detection
- **Indicators of Compromise:** Unexpected loss of communication with the FX5-ENET/IP or FX5-EIP modules; frequent or unexplained module resets.
- **Detection methods and tools:** Monitor network traffic for anomalous EtherNet/IP traffic patterns or high-frequency scanning targeting industrial protocols. Use Industrial Intrusion Detection Systems (IIDS) to flag malformed CIP (Common Industrial Protocol) packets.
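
The sketch below is an added example, not code from the vendor or the advisory. It shows the kind of structural check a monitoring sensor can run on EtherNet/IP encapsulation frames, along with a per-source rate count. The checks are generic protocol sanity checks, not signatures for these CVEs. Assumptions: each payload is one reassembled encapsulation frame, and the threshold, command set, helper names and sample traffic are constructed for illustration.

```python
import struct
from collections import Counter

# 24-byte little-endian header: command, length, session, status, sender context, options
ENIP_HEADER = struct.Struct("<HHII8sI")
# Commonly used encapsulation commands; extend to match the site's baseline.
KNOWN_COMMANDS = {0x0000, 0x0004, 0x0063, 0x0064, 0x0065, 0x0066, 0x006F, 0x0070}
RATE_THRESHOLD = 2  # assumed: frames per source per window, tune to the site baseline


def check_frame(payload):
    """Return the reasons one EtherNet/IP encapsulation frame looks malformed."""
    if len(payload) < ENIP_HEADER.size:
        return ["truncated header"]
    command, length, _session, _status, _ctx, options = ENIP_HEADER.unpack_from(payload)
    reasons = []
    if command not in KNOWN_COMMANDS:
        reasons.append(f"unknown command 0x{command:04x}")
    if length != len(payload) - ENIP_HEADER.size:
        reasons.append("length field does not match data size")
    if options != 0:
        reasons.append("non-zero options field")
    return reasons


def triage(frames):
    """frames: iterable of (src_ip, payload) seen in one time window."""
    alerts, per_source = [], Counter()
    for src, payload in frames:
        per_source[src] += 1
        alerts += [(src, reason) for reason in check_frame(payload)]
    alerts += [(src, f"high frame rate ({n} in window)")
               for src, n in per_source.items() if n > RATE_THRESHOLD]
    return alerts


def frame(command, data=b"", declared=None):
    """Build a constructed sample frame; 'declared' overrides the length field."""
    length = len(data) if declared is None else declared
    return ENIP_HEADER.pack(command, length, 0, 0, b"\0" * 8, 0) + data


# Constructed sample traffic, not captured from a real network.
SAMPLE = [
    ("10.0.0.5", frame(0x0065, b"\x01\x00\x00\x00")),        # valid RegisterSession
    ("10.0.0.9", frame(0x006F, b"\x00" * 4, declared=400)),  # length mismatch
    ("10.0.0.9", frame(0x1234)),                             # unknown command
    ("10.0.0.9", b"\x63\x00"),                               # truncated header
]

if __name__ == "__main__":
    for src, reason in triage(SAMPLE):
        print(src, reason)
```

In production the payloads would come from a TCP reassembler on the EtherNet/IP port, and the alerts would be correlated with the module resets and communication losses listed as indicators above.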
## References
- **Vendor Advisories:** hxxps[://]www[.]mitsubishielectric[.]com/psirt/vulnerability/pdf/2025-021_en[.]pdf
- **CCCS Advisory:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-mitsubishi-electric-security-advisory-av26-191